The Mozilla Foundation is currently working on an interesting new approach to browser security - one which it hopes could put an end to cross-site scripting attacks once and for all.
The technology, known as Content Security Policy, is described by the Foundation as aiming to "prevent malicious code from being injected into a Web site and executed within the content of that site" - in other words, cross-site scripting. Accordingly, CSP "[prevents] the creation of script code from potentially tainted strings."
According to BetaNews, the technology is likely to see its first public release as part of Firefox 3.7 - the point release after next - but the site predicts that the technology will need wider adoption than just the Firefox browser in order to gain support from the web development community. To further this end, the technology is being made freely available for other browser manufacturers to implement.
Mozilla's security program manager Brandon Sterne has made a preview build of Firefox 3.7 that includes the CSP technology available from his blog for those who want to try it out - but don't expect miracles: the technology requires that a website include a Content Security Policy header defining which sites are allowed to embed active resources in the page. As few sites currently send such a header, the downloadable demonstration is restricted to a test page on Sterne's website.
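To show what such a header actually expresses, here is an added example (not Mozilla's code and not part of the article): a small Python checker that parses a policy and decides whether a page's policy allows a given external script, or an inline one. It assumes the later standardised Content-Security-Policy syntax (`default-src`, `script-src`, `'self'`, `'unsafe-inline'`, wildcard hosts); the exact header name and directive syntax of the preview build are not given in the article.

```python
from urllib.parse import urlparse

# Constructed sample policy: the header a site would send alongside its HTML.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"

def parse_csp(header):
    """Split 'directive src src; directive src' into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, page, candidate):
    """Does one source expression (e.g. 'self', *.cdn.example) allow `candidate`?"""
    if source == "*":
        return True
    if source == "'self'":
        return (candidate.scheme, candidate.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):         # 'none', 'unsafe-inline', ... never match a URL
        return False
    if "://" not in source:            # host-only source: inherit the page's scheme
        source = f"{page.scheme}://{source}"
    src = urlparse(source)
    if src.scheme != candidate.scheme or src.port != candidate.port:
        return False
    if src.hostname.startswith("*."):  # wildcard matches any subdomain
        return candidate.hostname.endswith(src.hostname[1:])
    return src.hostname == candidate.hostname

def script_allowed(header, page_url, script_url):
    """Would a browser enforcing `header` on `page_url` load the external script?"""
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback; no policy means anything goes
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    return any(source_matches(s, urlparse(page_url), urlparse(script_url)) for s in sources)

def inline_script_allowed(header):
    """Inline <script> blocks are refused unless the policy explicitly opts back in."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources

if __name__ == "__main__":
    page = "https://shop.example"
    for url in ("https://shop.example/app.js", "https://evil.example/x.js"):
        print(url, "allowed" if script_allowed(SAMPLE_POLICY, page, url) else "blocked")
    print("inline script", "allowed" if inline_script_allowed(SAMPLE_POLICY) else "blocked")
```

The last case is the one the article hints at: a page that sends no header at all is treated exactly as before, so the protection only exists once the site operator opts in.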
While wide-scale adoption will be required for web developers to take the technology seriously, it's good to see browser programmers innovating in this area: cross-site scripting is among the most common vectors for malware and virus infection, and while solutions such as the NoScript plugin for Firefox are good for the tech-savvy, a fully standardised system built into the browser itself will help protect many more people from attack.
Do you support Mozilla's efforts with the CSP technology, or will it just make the job of web developers that much harder without providing any real security - especially if it lies dormant on sites that don't bother to send the header? Share your thoughts over in the forums.